Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752841AbcD0Q64 (ORCPT <rfc822;w@1wt.eu>);
	Wed, 27 Apr 2016 12:58:56 -0400
Received: from quartz.orcorp.ca ([184.70.90.242]:40913 "EHLO quartz.orcorp.ca"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753541AbcD0Q6u (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 27 Apr 2016 12:58:50 -0400
Date: Wed, 27 Apr 2016 10:58:46 -0600
From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>,
        linux-security-module@vger.kernel.org,
        tpmdd-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH] tpm: Fix IRQ unwind ordering in TIS
Message-ID: <20160427165846.GA17064@obsidianresearch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Broken-Reverse-DNS: no host name found for IP address 10.0.0.160
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1460
Lines: 38

The devm for the IRQ was placed on the chip, not the pdev. This can
cause the irq to be still callable after the pdev has been cleaned up
(eg priv kfree'd).

Found by CONFIG_DEBUG_SHIRQ=y

Reported-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fixes: 233a065e0cd0 ("tpm: Get rid of chip->pdev")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by:  Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 drivers/char/tpm/tpm_tis.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index a6b2d460bfc0..d88827046a42 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -387,7 +387,7 @@ static void disable_interrupts(struct tpm_chip *chip)
 	intmask &= ~TPM_GLOBAL_INT_ENABLE;
 	iowrite32(intmask,
 		  priv->iobase + TPM_INT_ENABLE(priv->locality));
-	devm_free_irq(&chip->dev, priv->irq, chip);
+	devm_free_irq(chip->dev.parent, priv->irq, chip);
 	priv->irq = 0;
 	chip->flags &= ~TPM_CHIP_FLAG_IRQ;
 }
@@ -604,7 +604,7 @@ static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask,
 	struct priv_data *priv = dev_get_drvdata(&chip->dev);
 	u8 original_int_vec;
 
-	if (devm_request_irq(&chip->dev, irq, tis_int_handler, flags,
+	if (devm_request_irq(chip->dev.parent, irq, tis_int_handler, flags,
 			     dev_name(&chip->dev), chip) != 0) {
 		dev_info(&chip->dev, "Unable to request irq: %d for probe\n",
 			 irq);
-- 
2.1.4